SB2023070326 - Multiple vulnerabilities in MediaTek chipsets
Published: July 3, 2023
Description
This security bulletin contains information about 24 security vulnerabilities.
1) Improper Authentication (CVE-ID: CVE-2023-20772)
The vulnerability allows a local application to execute arbitrary code.
The vulnerability exists due to a missing permission check within vow. A local application can execute arbitrary code.
2) Improper input validation (CVE-ID: CVE-2023-20748)
The vulnerability allows a local privileged application to gain access to sensitive information.
The vulnerability exists due to a missing bounds check within display. A local privileged application can gain access to sensitive information.
3) Improper input validation (CVE-ID: CVE-2022-32666)
The vulnerability allows a local application to perform service disruption.
The vulnerability exists due to misrepresentation of critical information within Wi-Fi. A local application can perform service disruption.
4) Use of Obsolete Function (CVE-ID: CVE-2023-20693)
The vulnerability allows a local application to perform service disruption.
The vulnerability exists due to an uncaught exception within wlan. A local application can perform service disruption.
5) NULL Pointer Dereference (CVE-ID: CVE-2023-20692)
The vulnerability allows a local application to perform service disruption.
The vulnerability exists due to an uncaught exception within wlan. A local application can perform service disruption.
6) Integer Overflow to Buffer Overflow (CVE-ID: CVE-2023-20691)
The vulnerability allows a local application to perform service disruption.
The vulnerability exists due to an integer overflow within wlan. A local application can perform service disruption.
7) Integer Overflow to Buffer Overflow (CVE-ID: CVE-2023-20690)
The vulnerability allows a local application to perform service disruption.
The vulnerability exists due to an integer overflow within wlan. A local application can perform service disruption.
8) Integer Overflow to Buffer Overflow (CVE-ID: CVE-2023-20689)
The vulnerability allows a local application to perform service disruption.
The vulnerability exists due to an integer overflow within wlan. A local application can perform service disruption.
9) Buffer overflow (CVE-ID: CVE-2023-20775)
The vulnerability allows a local privileged application to execute arbitrary code.
The vulnerability exists due to a missing bounds check within display. A local privileged application can execute arbitrary code.
10) Improper input validation (CVE-ID: CVE-2023-20774)
The vulnerability allows a local privileged application to execute arbitrary code.
The vulnerability exists due to a missing bounds check within display. A local privileged application can execute arbitrary code.
11) Improper Authentication (CVE-ID: CVE-2023-20773)
The vulnerability allows a local application to execute arbitrary code.
The vulnerability exists due to a missing permission check within vow. A local application can execute arbitrary code.
12) Improper Synchronization (CVE-ID: CVE-2023-20771)
The vulnerability allows a local privileged application to execute arbitrary code.
The vulnerability exists due to a race condition within display. A local privileged application can execute arbitrary code.
13) Integer overflow (CVE-ID: CVE-2023-20754)
The vulnerability allows a local privileged application to execute arbitrary code.
The vulnerability exists due to an integer overflow within keyinstall. A local privileged application can execute arbitrary code.
14) Type confusion (CVE-ID: CVE-2023-20768)
The vulnerability allows a local privileged application to execute arbitrary code.
The vulnerability exists due to type confusion within ion. A local privileged application can execute arbitrary code.
15) Improper input validation (CVE-ID: CVE-2023-20767)
The vulnerability allows a local privileged application to execute arbitrary code.
The vulnerability exists due to a missing bounds check within pqframework. A local privileged application can execute arbitrary code.
16) Improper input validation (CVE-ID: CVE-2023-20766)
The vulnerability allows a local privileged application to execute arbitrary code.
The vulnerability exists due to a missing bounds check within gps. A local privileged application can execute arbitrary code.
17) Improper input validation (CVE-ID: CVE-2023-20761)
The vulnerability allows a local privileged application to execute arbitrary code.
The vulnerability exists due to a missing bounds check within ril. A local privileged application can execute arbitrary code.
18) Improper input validation (CVE-ID: CVE-2023-20760)
The vulnerability allows a local privileged application to execute arbitrary code.
The vulnerability exists due to a missing bounds check within apu. A local privileged application can execute arbitrary code.
19) Improper input validation (CVE-ID: CVE-2023-20759)
The vulnerability allows a local privileged application to perform service disruption.
The vulnerability exists due to a missing bounds check within cmdq. A local privileged application can perform service disruption.
20) Improper input validation (CVE-ID: CVE-2023-20758)
The vulnerability allows a local privileged application to perform service disruption.
The vulnerability exists due to a missing bounds check within cmdq. A local privileged application can perform service disruption.
21) Improper input validation (CVE-ID: CVE-2023-20757)
The vulnerability allows a local privileged application to execute arbitrary code.
The vulnerability exists due to a missing bounds check within cmdq. A local privileged application can execute arbitrary code.
22) Integer overflow (CVE-ID: CVE-2023-20756)
The vulnerability allows a local privileged application to execute arbitrary code.
The vulnerability exists due to an integer overflow within keyinstall. A local privileged application can execute arbitrary code.
23) Out-of-bounds write (CVE-ID: CVE-2023-20753)
The vulnerability allows a local privileged application to execute arbitrary code.
The vulnerability exists due to a logic error within rpmb. A local privileged application can execute arbitrary code.
24) Improper input validation (CVE-ID: CVE-2023-20755)
The vulnerability allows a local privileged application to execute arbitrary code.
The vulnerability exists due to an integer overflow within keyinstall. A local privileged application can execute arbitrary code.
Remediation
Install update from vendor's website.